First off I'm searching for "Simultaneous-Use must be set to a value from at least 2" leave empty in free radius. I can't find it in CP. Using PF 2.0.1. I have tried this MAC auth both ways and neither works. If I set the value "Pass-through credits allowed per MAC address" to 2 I can get through a router with 2 laptops connected to a router WAN to pf LAN, but the CP status shows

I think you mixed up different things. I hope I could make it clear :-)

1.) Simultaneous-Use: To check for simultaneous connections there are two possibilities when using freeradius and CP. You can enable "Disable concurrent logins" on the CP page. Then the CP itself checks for simultaneous connections.

The other possibility is to use "Simultaneous-Use" on freeradius. This ONLY works if you have accounting enabled. If you set it to "1" then only one connection per time is allowed. If you leave it empty, unlimited connections are allowed.

BUT if you use "re-authenticate every minute" on CP then you have to leave the "Simultaneous-Use" check empty or set it to 2 or higher. This is because of the way CP sends the re-authentication packets/attributes.

2.) MAC based authentication and CP: Captive Portal isn't using a real "Plain Mac-Auth". CP is doing 802.1X auth BUT it uses the MAC address as username and the "shared-secret" you entered on CP. So every authentication has the same shared secret but the username changes because it is the MAC address. So in freeradius you have to enter the MAC address in "Users" as username and the shared secret as password.

In freeradius -> settings there is a setting "Enable Plain MAC-Auth". You do NOT need this when using with CP and it will NOT work with CP.

3.) Bandwidth restrictions: If you set a value on CP then all users which authenticate through the CP will have this bandwidth limit. If you like to set individual bandwidth limits then set any value or "0" on CP because this value will be overwritten by freeradius. So you have to set the limit on freeradius under the "Users" tab.

PS: Bandwidth limit is not 100% sure to work - test it. If it doesn't work it is a problem of CP.

Hey, thanks for taking time to explain that. After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the IP of the radius server does not work. I had to all the LAN adapter IP there instead. Now she's ticking away and working. The user speed limit seems to work. Set it to 256K up down and a speed test verified that. Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug. Does that still apply with the 2.0.1 version?

I also need to know how it regulates speed as compared to the traffic shaper.

I tested the shaper once regulating speed. All it does is drop packets, making the end user take longer to download. In the end WAN usage from the ISP almost doubled in the 2 months I tested this.

Does CP do the same?

Also, if I have a static route 3rd NIC going off to different servers, will CP limit speed to this LAN as well? Thanks Allan

Hey Thanks for taking time to explain that. After getting confirmation on all of the above I pulled a Sherlock Holmes and found that using 127.0.0.1 as the ip of the radius server does not work. I had to all the LAN adapter IP there instead. Now she's ticking away and working.

If you use * as interface IP then radius is listening on all interfaces. Probably the easiest one for testing.

Now I'll test the usage daily and hope monthly works. I read about a 6 meg counter bug. Does that still apply with the 2.0.1 version?

This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed. When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so on - and read the "KNOWN BUGS" to make sure you know what is going on :-)

Also, if I have a static route 3rd NIC going off to different servers, will CP limit speed to this LAN as well? Thanks Allan

All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.

Do you mean the limit set on CP only or do you mean the override freeradius does?

The freeradius limiter for the user mac seems to work great.

Quote

This bug is still present on 2.0.1 but as far as I know it is fixed in 2.1. There was a ticket open on redmine which was closed. When trying to limit the amount of traffic please read the freeradius2 documentation carefully - about accounting updates and so on - and read the "KNOWN BUGS" to make sure you know what is going on :-)

I'm testing the daily limit set in freeradius2 right now. I set 1000MB and will download some files from an HFS server through the WAN.

Quote

All users which use the CP as authentication will be affected by the limits - no matter which destination their traffic has. But you can add a "Pass-through IP address" on CP. So you are able to bypass the CP for specific destination IPs.

The "bug" I mentioned above is that it counts traffic wrong, but in general it is working. What your log means - I don't know. It is related to CP, or in other words it is a CP log and not a freeradius log.

Did you read the documentation of freeradius about "acct_unique"? Probably disable acct_unique.
Did you set any idle/hard timeout on CP which causes this problem? Disable or set the timeouts high enough for testing.
Did you set re-authenticate every minute on CP? You need this so that freeradius can reject access if the limit is reached.

Can the user get access or does it timeout when accounting and usage limit is enabled?

Yes, all the files exist. I have opened the daily data file and in bytes it had the number that matched the MB limit I set for the user, 505 MB, when in fact I downloaded close to 2.5 GB off my server. And it's not a server I set in the allowed IP field. I thought that might stop the counter from working.

radiusd -X

You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.

radiusd -X

You can see all the output. Try to connect with a client from CP and check the output when the client reaches the limit. (Acct-Input-Octets and Acct-Output-Octets) will show you the bytes transferred.

Ok I see it says Cat/var/log/radacct/daily/max-octets-bunch of numbers No such file or directory

Apr 17 10:13:38 admin: FreeRADIUS: Credentials are probably correct but the user 00X23X69XfbX79X33 has reached the daily Amount of Upload and Download Traffic which is 0 MB! The user was rejected!!!

So I put " 1048576000 " into the modified file and was able to log back in just fine.
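
Added example, not part of the original thread: a way to cross-check a daily counter against the Acct-Input-Octets / Acct-Output-Octets values that `radiusd -X` prints, as suggested above. The packet text, MAC-style user names and function names are constructed for illustration; the limit is the byte value quoted in the thread.

```python
import re
# Constructed `radiusd -X`-style accounting packets (sample data, not from the thread).
SAMPLE = """\
rad_recv: Accounting-Request packet from host 192.0.2.1 port 1027, id=1
    User-Name = "aa-bb-cc-00-00-01"
    Acct-Session-Id = "s1"
    Acct-Input-Octets = 100000000
    Acct-Output-Octets = 300000000
rad_recv: Accounting-Request packet from host 192.0.2.1 port 1027, id=2
    User-Name = "aa-bb-cc-00-00-01"
    Acct-Session-Id = "s1"
    Acct-Input-Octets = 200000000
    Acct-Output-Octets = 500000000
rad_recv: Accounting-Request packet from host 192.0.2.1 port 1027, id=3
    User-Name = "aa-bb-cc-00-00-01"
    Acct-Session-Id = "s2"
    Acct-Output-Octets = 400000000
rad_recv: Accounting-Request packet from host 192.0.2.1 port 1027, id=4
    User-Name = "aa-bb-cc-00-00-02"
    Acct-Session-Id = "s3"
    Acct-Output-Octets = 5000
"""
ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = "?([^"]*)"?\s*$')

def parse_packets(text):
    packets = []
    for line in text.splitlines():
        if "Accounting-Request" in line:
            packets.append({})          # header line starts a new packet
        elif packets and (m := ATTR.match(line)):
            packets[-1][m.group(1)] = m.group(2)
    return packets

def usage_per_user(packets):
    sessions, usage = {}, {}
    for p in packets:
        # Gigawords (RFC 2869) count how often the 32-bit octet counter wrapped.
        total = sum(int(p.get(f"Acct-{d}-Octets", 0)) +
                    (int(p.get(f"Acct-{d}-Gigawords", 0)) << 32)
                    for d in ("Input", "Output"))
        key = (p.get("User-Name"), p.get("Acct-Session-Id"))
        # Counters are cumulative per session: keep the highest, never add updates.
        sessions[key] = max(sessions.get(key, 0), total)
    for (user, _), n in sessions.items():
        usage[user] = usage.get(user, 0) + n
    return usage

def over_limit(usage, limit=1048576000):  # byte value quoted in the thread
    return sorted(u for u, n in usage.items() if n >= limit)
```

Adding every update for session s1 instead of taking the latest value would report 1.5 GB for the first user rather than the 1.1 GB actually transferred.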